SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Forum/Board/Portal)  >  Blosxom Vendors:  blosxom.com
Blosxom Input Validation Holes in 'writeback' Plugin Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010430
SecurityTracker URL:  http://securitytracker.com/id?1010430
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 8 2004
Impact:  Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 2.0
Description:  An input validation vulnerability was reported in Blosxom. A remote user can conduct cross-site scripting attacks.

Kyle Maxwell reported that the optional 'writeback' plugin does not properly filter HTML code from user-supplied input in the comments. A remote user can craft a comment that includes scripting tags but has a carriage return before the closing bracket of the scripting tag to bypass the filtering mechanism. As a result, a remote user can submit specially crafted text that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Blosxom software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The original advisory, including demonstration exploit code, is available at:

http://kylem.xwell.org/blosxom.cgi/tech/security/km-2004-01.html
Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Blosxom software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  No solution was available at the time of this entry.

The author of the report has provided an unofficial patch using 'HTML::Entities', available at:

http://kylem.xwell.org/wb.patch
Vendor URL:  www.blosxom.com/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Kyle Maxwell <kylem@xwell.org>
Message History:   None.

 Source Message Contents
Date:  Mon, 07 Jun 2004 22:29:26 -0500
From:  Kyle Maxwell <kylem@xwell.org>
Subject:  KM-2004-01: Cross-Site Scripting in Blosxom writeback

 

Security Advisory KM-2004-01: Cross-Site Scripting in Blosxom writeback

Affected Application:
Blosxom (http://www.blosxom.com)

Severity: Medium to high (typical XSS impacts)

Introduction:
Blosxom, a weblog tool, has an optionally-installable plugin commonly
used for allowing users to post comments or trackbacks to entries in a
weblog, called writeback
(http://www.blosxom.com/plugins/input/writeback.htm). The filtering
function in all Blosxom 2.0 writeback version,s including the latest
(2004-02-19), is vulnerable to a simple bypass, allowing attackers to
embed scripts in their comment that will be run by any client viewing
the page.

Discussion:
In the writeback plugin, the code to filter out tags is a simple regular
expression: "s/<.*?>//mg". So entering scripts as
"<script>alert('test');</script>" will get filtered into
"alert('test');" and no code will be executed by the client.

This allows a straightforward bypass by using carriage returns before
the closing bracket in the script tags, so that the tags do not meet the
regular expression but are still interpreted as tags by browsers.
Additional bypassing methods may be possible using the existing
filtering.

Impact:
Attackers can take any action that the client permits the site to do,
including retrieving any cookies used on the site (even if they are not
Blosxom-related), exploiting browser vulnerabilities, rewriting the
page, etc. The overall impact of XSS vulnerabilities is well-known; see
References below if needed.

Solution:
Implement a more robust filtering scheme. One alternative would be to
replace "<" and ">" characters with "&lt;" and "&gt;"
 and other
sensitive characters with the appropriate HTML entities. Another would
be to only allow certain characters, such as alphanumerics and a few
additions. See References below if needed. An additional solution has
been proposed by Ivan Grynov at
http://groups.yahoo.com/group/blosxom/message/8034. The author has
chosen not to implement these solutions at this time, though the code is
undergoing a complete overhaul and may thus not be vulnerable in 3.0

A copy of this advisory (including very simple proof-of-concept code) is
available at
http://kylem.xwell.org/blosxom.cgi/tech/security/km-2004-01.html.
Additionally, a patch using HTML::Entities is available at 
http://kylem.xwell.org/wb.patch.

References:
http://www.cert.org/tech_tips/malicious_code_mitigation.html
http://www.technicalinfo.net/papers/CSS.html
http://www.perl.com/pub/a/2002/02/20/css.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC